Observe access mode with stat ~/.config/Bitwarden/data.json
Expected Result
~/.config/Bitwarden/data.json should have access mode 0600/-rw-------.
Actual Result
~/.config/Bitwarden/data.json has access mode 0666/-rw-rw-rw-. If the mode is manually changed to 600 with chmod 600 ~/.config/Bitwarden/data.json, the application will change it back to 666.
Screenshots or Videos
No response
Additional Context
I have also witnessed briefly a temporary file of the form data.json.tmp-xxxxxxxxxxxxxxxx with access mode 0644/-rw-r--r-- on application launch.
There are also some symbolic links SingletonCookie, SingletonLock, and SingletonSocket that have mode 0777/lrwxrwxrwx that exist as long as the application is open; one of these appears to store a sensitive variable, and symlinks cannot have access mode other than 777.
Operating System
Linux
Operating System Version
openSUSE Tumbleweed x86_64 20240423; kernel 6.8.7-1-default; KDE Plasma 6.0.4
Installation method
Direct Download (from bitwarden.com)
Build Version
2024.4.1
Issue Tracking Info
I understand that work is tracked outside of GitHub. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
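The `stat` check from the report, extended to every regular file in the profile directory, as an added example that is not part of the issue and not Bitwarden code. It assumes GNU find and GNU stat; the function names `audit_modes` and `dir_is_private` and the script file name are chosen for this example.

```shell
#!/bin/sh
# Added example, not Bitwarden code. Requires GNU find and GNU stat (Linux).
# Usage (file name is arbitrary): sh audit_modes.sh ~/.config/Bitwarden

# audit_modes DIR
# Prints "MODE PATH" for every regular file under DIR that grants any
# permission to group or other. Returns 0 if none, 1 if any, 2 on bad input.
audit_modes() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "audit_modes: not a directory: $dir" >&2
        return 2
    fi
    # -type f skips symlinks such as SingletonLock, whose lrwxrwxrwx mode
    # cannot be changed. -perm /077 matches any group/other bit, so it
    # catches 0666 (data.json in the report) and 0644 (the .tmp-* file).
    found=$(find "$dir" -type f -perm /077 -exec stat -c '%a %n' {} +)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# dir_is_private DIR
# Succeeds when DIR itself has no group/other bits (for example 0700).
# Assumption added here: in that case other unprivileged users cannot
# open the files inside by path, whatever the files' own modes are.
dir_is_private() {
    [ -d "$1" ] || return 2
    [ -z "$(find "$1" -maxdepth 0 -perm /077)" ]
}

# Run the audit only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    if dir_is_private "$1"; then
        echo "directory $1 is private (no group/other access)"
    else
        echo "directory $1 is reachable by group/other"
    fi
    audit_modes "$1"
fi
```

The temporary file is only reported if the audit runs while it exists, so it has to be run during application launch to catch it.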
Thank you for this report. Just to make sure that you and I are on the same page, how did you install that Bitwarden desktop client?
To be clear, we have captured this matter internally with regard to the .AppImage release, and we received a similar report about the Export function here.
I downloaded the latest AppImage from https://bitwarden.com/download and moved it to ~/bin/Bitwarden-2024.4.1-x86_84.AppImage.
Launching the application by executing Bitwarden-2024.4.1-x86_84.AppImage in a shell will cause this issue.
Also, I have the daemon appimaged which automatically generates this desktop file ~/.local/share/applications/appimagekit_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-bitwarden.desktop; launching the application with this desktop file leads to the same result:
[Desktop Entry]
Name=Bitwarden
Exec=/home/exin/bin/Bitwarden-2024.4.1-x86_64.AppImage
Terminal=false
Type=Application
Icon=appimagekit_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_bitwarden
StartupWMClass=Bitwarden
X-AppImage-Version=2024.4.1
GenericName=Password Manager
Comment=A secure and free password manager for all of your devices.
MimeType=x-scheme-handler/bitwarden;
Categories=Utility;
TryExec=/home/exin/bin/Bitwarden-2024.4.1-x86_64.AppImage
X-AppImage-Comment=Generated by appimaged 10
X-AppImage-Identifier=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thank you. Yes, this matter has already been captured internally, and we're looking into it; I will leave this external GitHub report open for visibility for the time being.
Steps To Reproduce
rm -r ~/.config/Bitwarden
stat ~/.config/Bitwarden/data.json